Re: working for wheezy-security until wheezy-lts starts
On Tue, Mar 01, 2016 at 07:15:28AM +, Mike Gabriel wrote:
[..snip..]
> >> Issues that are unfixed in wheezy but fixed in squeeze:
> >> * aptdaemon -> CVE-2015-1323
> >> * cakephp -> TEMP-000-698CF7
> >> * dhcpcd -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700
> >> * eglibc -> CVE-2014-9761
> >> * extplorer -> CVE-2015-0896
> >> * fuseiso -> TEMP-0779047-8CABD5 TEMP-0779047-E29D8E
> >> * gosa -> CVE-2014-9760 CVE-2015-8771
> >> * gtk+2.0 -> CVE-2013-7447
> >> * icu -> CVE-2015-2632
> >> * imagemagick -> TEMP-0773834-5EB6CF
> >> * imlib2 -> CVE-2014-9762 CVE-2014-9763 CVE-2014-9764
> >> * inspircd -> CVE-2015-8702
> >> * libebml -> CVE-2015-8790 CVE-2015-8791
> >> * libidn -> CVE-2015-2059 TEMP-000-54045E
> >> * libmatroska -> CVE-2015-8792
> >> * libsndfile -> CVE-2014-9756 CVE-2015-7805
> >> * libstruts1.2-java -> CVE-2015-0899
> >> * libtorrent-rasterbar -> CVE-2015-5685
> >> * mono -> CVE-2009-0689
> >> * nss -> CVE-2015-7181 CVE-2015-7182 CVE-2016-1938
> >> * optipng -> CVE-2015-7801
> >> * phpmyadmin -> CVE-2016-2039 CVE-2016-2041
> >> * pixman -> CVE-2014-9766
> >> * python-tornado -> CVE-2014-9720
> >> * roundcube -> CVE-2015-8770
> >> * srtp -> CVE-2015-6360
> >> * tomcat6 -> CVE-2013-4286 CVE-2013-4322 CVE-2014-0033
> >>   CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 CVE-2014-0227
> >>   CVE-2014-0230 CVE-2014-7810 CVE-2015-5174 CVE-2015-5345 CVE-2015-5351
> >>   CVE-2016-0706 CVE-2016-0714 CVE-2016-0763
> >
> > I'm focusing on these, picking older ones over newer ones to not stomp
> > onto the security team's toes.
>
> Do you announce anywhere, that you will start working on a specific
> package? Wouldn't it make sense to put all the packages listed below into
> data/dsa-needed.txt (with approval from the Security Team) and then put
> our names behind those package names?

In order to avoid double work I added these to dsa-needed.txt and put my
name on the line.

Cheers,
 -- Guido
Re: working for wheezy-security until wheezy-lts starts
Hi Guido,

On Mo 29 Feb 2016 21:54:11 CET, Guido Günther wrote:

>> * prepare a fixed package
>> * test the package
>> * send a .debdiff to t...@security.debian.org
>> * wait for feedback and ideally permission to upload to wheezy-security
>
> That's what I'm doing at the moment (sending the debdiff to the bug report
> in case there is one as well) for issues that are unfixed (not no-dsa, see
> below).

Ok.

[..snip..]

>> Issues that are unfixed in wheezy but fixed in squeeze:
>> * aptdaemon -> CVE-2015-1323
>> * cakephp -> TEMP-000-698CF7
>> * dhcpcd -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700
>> * eglibc -> CVE-2014-9761
>> * extplorer -> CVE-2015-0896
>> * fuseiso -> TEMP-0779047-8CABD5 TEMP-0779047-E29D8E
>> * gosa -> CVE-2014-9760 CVE-2015-8771
>> * gtk+2.0 -> CVE-2013-7447
>> * icu -> CVE-2015-2632
>> * imagemagick -> TEMP-0773834-5EB6CF
>> * imlib2 -> CVE-2014-9762 CVE-2014-9763 CVE-2014-9764
>> * inspircd -> CVE-2015-8702
>> * libebml -> CVE-2015-8790 CVE-2015-8791
>> * libidn -> CVE-2015-2059 TEMP-000-54045E
>> * libmatroska -> CVE-2015-8792
>> * libsndfile -> CVE-2014-9756 CVE-2015-7805
>> * libstruts1.2-java -> CVE-2015-0899
>> * libtorrent-rasterbar -> CVE-2015-5685
>> * mono -> CVE-2009-0689
>> * nss -> CVE-2015-7181 CVE-2015-7182 CVE-2016-1938
>> * optipng -> CVE-2015-7801
>> * phpmyadmin -> CVE-2016-2039 CVE-2016-2041
>> * pixman -> CVE-2014-9766
>> * python-tornado -> CVE-2014-9720
>> * roundcube -> CVE-2015-8770
>> * srtp -> CVE-2015-6360
>> * tomcat6 -> CVE-2013-4286 CVE-2013-4322 CVE-2014-0033
>>   CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 CVE-2014-0227
>>   CVE-2014-0230 CVE-2014-7810 CVE-2015-5174 CVE-2015-5345 CVE-2015-5351
>>   CVE-2016-0706 CVE-2016-0714 CVE-2016-0763
>
> I'm focusing on these, picking older ones over newer ones to not stomp
> onto the security team's toes.

Do you announce anywhere, that you will start working on a specific
package? Wouldn't it make sense to put all the packages listed below into
data/dsa-needed.txt (with approval from the Security Team) and then put our
names behind those package names?

@Security Team: Please guide the LTS contributors to a good way of
supporting you. Would it make sense to add the above packages to
data/dsa-needed.txt so that LTS contributors can then grab packages from
the dsa-needed.txt file and work on fixing the listed issues?

>> Issues that are no-dsa in wheezy but fixed in squeeze:
>> * augeas -> CVE-2012-0786 CVE-2012-0787
>> * binutils -> TEMP-000-A2945B
>> * busybox -> TEMP-0803097-A74121
>> * chrony -> CVE-2016-1567
>> * dbconfig-common -> TEMP-0805638-5AC56F
>> * dwarfutils -> CVE-2015-8750
>> * foomatic-filters -> TEMP-000-ACBC4C
>> * imagemagick -> CVE-2014-8354 CVE-2014-8355 CVE-2014-8562
>>   CVE-2014-8716 TEMP-0806441-76CD60 TEMP-0806441-CB092C
>> * libemail-address-perl -> TEMP-000-F41FA7
>> * libfcgi-perl -> CVE-2012-6687
>> * librsvg -> CVE-2015-7557
>> * libsndfile -> CVE-2014-9496
>> * libunwind -> CVE-2015-3239
>> * openslp-dfsg -> CVE-2012-4428
>> * openssh -> CVE-2015-5352 CVE-2015-5600
>> * php5 -> CVE-2011-0420 CVE-2011-1657
>> * postgresql-8.4 -> CVE-2015-3165 CVE-2015-3166 CVE-2015-3167
>>   CVE-2015-5288
>> * python-scipy -> CVE-2013-4251
>> * python2.6 -> CVE-2011-4940 CVE-2013-4238 CVE-2014-1912
>> * qt4-x11 -> CVE-2015-0295 CVE-2015-1858 CVE-2015-1859
>>   CVE-2015-1860
>> * remind -> CVE-2015-5957
>> * ruby1.8 -> CVE-2009-5147
>> * ruby1.9.1 -> CVE-2009-5147
>> * t1utils -> CVE-2015-3905
>> * texlive-extra -> CVE-2012-2120
>> * tomcat6 -> CVE-2013-4590
>> * vorbis-tools -> CVE-2014-9638 CVE-2014-9639 CVE-2014-9640
>>   CVE-2015-6749
>> """
>
> I think these would be addressed via stable point release updates in
> wheezy/jessie rather than going via the security team.

Yeah, if at all. I just listed them for completeness' sake.

Mike

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
maintainer feedback on CVE-2014-8350 (smarty3)
Hi all,

I have just looked at what is needed to fix CVE-2014-8350 for smarty3 [1].
Unfortunately, the fix [2] from between 3.1.20 and 3.1.21 is not trivial to
backport to wheezy's 3.1.10 version.

The packages that depend on smarty3 in Debian wheezy are these:

  o gosa + its plugins
  o slbackup-php
  o collabtive

My recommendation 1 for wheezy and wheezy-lts is to continue providing
support for smarty3 (as Debian Edu uses gosa and slbackup-php and I know
various wheezy based installations of Debian Edu).

My recommendation 2 for wheezy-lts (or even wheezy-security) is to take
smarty3 3.1.21-1 from Debian jessie and provide that on Debian wheezy.

From experience, I seem to remember that gosa and slbackup-php from wheezy
work fine with smarty3 3.1.21. However, if feedback from the security team
and other LTS contributors reaches a consensus to go the version bump path,
I would of course set up gosa and slbackup-php to be really sure of what I
remember. Furthermore, I would set up a test instance of collabtive on
wheezy, as well, and check its functionality.

Greets,
Mike

[1] https://security-tracker.debian.org/tracker/CVE-2014-8350
[2] https://github.com/smarty-php/smarty/commit/279bdbd3521cd717cae6a3ba48f1c3c6823f439d.patch

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de
[SECURITY] [DLA 445-1] squid3 security update
Package: squid3
Version: 3.1.6-1.2+squeeze6
CVE ID : CVE-2016-2569 CVE-2016-2571
Debian Bug : 816011

Several security issues have been discovered in the Squid caching proxy.

CVE-2016-2569

    Squid wrongly checked boundaries of String data, making it possible for
    remote attackers to cause a Denial-of-Service by a crafted HTTP Vary
    header. Issue found by Mathias Fischer from Open Systems AG.

CVE-2016-2571

    Squid was susceptible to a Denial of Service caused by storing a certain
    kind of data after failing to parse a response. Issue discovered by Alex
    Rousskov from The Measurement Factory.

For Debian 6 "Squeeze", these issues have been fixed in squid3 version
3.1.6-1.2+squeeze6.

We recommend that you upgrade your squid3 packages.

Learn more about the Debian Long Term Support (LTS) Project and how to
apply these updates at: https://wiki.debian.org/LTS/
Re: Wiki update LTS/Using and EOL announcement
Hi Markus,

On 29-02-16 21:56, Markus Koschany wrote:
> If it helps I could remove the "Debian 7 Wheezy" part and write
> "we recommend that you upgrade your systems".

That fully resolves the issue I was having with the text.

Paul
Re: Wiki update LTS/Using and EOL announcement
On 29.02.2016 at 20:27, Paul Gevers wrote:
> Hi Markus,
>
> On 29-02-16 20:25, Matus UHLAR - fantomas wrote:
>> you only can upgrade to wheezy directly. upgrade across versions is not
>> supported.
>
> I know, but that is not what I meant. I meant (and wrote), upgrade via
> wheezy.

Hi Paul,

the target audience for this announcement is Squeeze LTS users who might
have missed the recent Debian news [1] or who are otherwise unaware that
Squeeze LTS ends after five years. Debian only supports upgrades to
consecutive releases. Upgrading to Wheezy is the right choice, no matter
if you decide to upgrade to the current stable release again.

If it helps I could remove the "Debian 7 Wheezy" part and write "we
recommend that you upgrade your systems". The important thing is, and I
hope this announcement makes it sufficiently clear, Squeeze LTS will no
longer be supported from now on, please upgrade at your earliest
convenience.

Regards,

Markus

[1] https://www.debian.org/News/2016/20160212
Re: working for wheezy-security until wheezy-lts starts
Hi,

On Mon, Feb 29, 2016 at 03:25:46PM +, Mike Gabriel wrote:
> For this, we can run bin/lts-needs-forward-port.py from the secure-testing
> repo and see what issues we fixed in squeeze and port those fixes to the
> package version in wheezy-security. Package updates must be coordinated with
> the Debian Security Team, not within the LTS team, though:
>
> * prepare a fixed package
> * test the package
> * send a .debdiff to t...@security.debian.org
> * wait for feedback and ideally permission to upload to wheezy-security

That's what I'm doing at the moment (sending the debdiff to the bug report
in case there is one as well) for issues that are unfixed (not no-dsa, see
below).

[..snip..]

> Issues that are unfixed in wheezy but fixed in squeeze:
> * aptdaemon -> CVE-2015-1323
> * cakephp -> TEMP-000-698CF7
> * dhcpcd -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700
> * eglibc -> CVE-2014-9761
> * extplorer -> CVE-2015-0896
> * fuseiso -> TEMP-0779047-8CABD5 TEMP-0779047-E29D8E
> * gosa -> CVE-2014-9760 CVE-2015-8771
> * gtk+2.0 -> CVE-2013-7447
> * icu -> CVE-2015-2632
> * imagemagick -> TEMP-0773834-5EB6CF
> * imlib2 -> CVE-2014-9762 CVE-2014-9763 CVE-2014-9764
> * inspircd -> CVE-2015-8702
> * libebml -> CVE-2015-8790 CVE-2015-8791
> * libidn -> CVE-2015-2059 TEMP-000-54045E
> * libmatroska -> CVE-2015-8792
> * libsndfile -> CVE-2014-9756 CVE-2015-7805
> * libstruts1.2-java -> CVE-2015-0899
> * libtorrent-rasterbar -> CVE-2015-5685
> * mono -> CVE-2009-0689
> * nss -> CVE-2015-7181 CVE-2015-7182 CVE-2016-1938
> * optipng -> CVE-2015-7801
> * phpmyadmin -> CVE-2016-2039 CVE-2016-2041
> * pixman -> CVE-2014-9766
> * python-tornado -> CVE-2014-9720
> * roundcube -> CVE-2015-8770
> * srtp -> CVE-2015-6360
> * tomcat6 -> CVE-2013-4286 CVE-2013-4322 CVE-2014-0033
>   CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 CVE-2014-0227
>   CVE-2014-0230 CVE-2014-7810 CVE-2015-5174 CVE-2015-5345 CVE-2015-5351
>   CVE-2016-0706 CVE-2016-0714 CVE-2016-0763

I'm focusing on these, picking older ones over newer ones to not stomp
onto the security team's toes.

>
> Issues that are no-dsa in wheezy but fixed in squeeze:
> * augeas -> CVE-2012-0786 CVE-2012-0787
> * binutils -> TEMP-000-A2945B
> * busybox -> TEMP-0803097-A74121
> * chrony -> CVE-2016-1567
> * dbconfig-common -> TEMP-0805638-5AC56F
> * dwarfutils -> CVE-2015-8750
> * foomatic-filters -> TEMP-000-ACBC4C
> * imagemagick -> CVE-2014-8354 CVE-2014-8355 CVE-2014-8562
>   CVE-2014-8716 TEMP-0806441-76CD60 TEMP-0806441-CB092C
> * libemail-address-perl -> TEMP-000-F41FA7
> * libfcgi-perl -> CVE-2012-6687
> * librsvg -> CVE-2015-7557
> * libsndfile -> CVE-2014-9496
> * libunwind -> CVE-2015-3239
> * openslp-dfsg -> CVE-2012-4428
> * openssh -> CVE-2015-5352 CVE-2015-5600
> * php5 -> CVE-2011-0420 CVE-2011-1657
> * postgresql-8.4 -> CVE-2015-3165 CVE-2015-3166 CVE-2015-3167
>   CVE-2015-5288
> * python-scipy -> CVE-2013-4251
> * python2.6 -> CVE-2011-4940 CVE-2013-4238 CVE-2014-1912
> * qt4-x11 -> CVE-2015-0295 CVE-2015-1858 CVE-2015-1859
>   CVE-2015-1860
> * remind -> CVE-2015-5957
> * ruby1.8 -> CVE-2009-5147
> * ruby1.9.1 -> CVE-2009-5147
> * t1utils -> CVE-2015-3905
> * texlive-extra -> CVE-2012-2120
> * tomcat6 -> CVE-2013-4590
> * vorbis-tools -> CVE-2014-9638 CVE-2014-9639 CVE-2014-9640
>   CVE-2015-6749
> """

I think these would be addressed via stable point release updates in
wheezy/jessie rather than going via the security team.

Cheers,
 -- Guido
Re: Wiki update LTS/Using and EOL announcement
Hi Markus,

On 29-02-16 20:25, Matus UHLAR - fantomas wrote:
> you only can upgrade to wheezy directly. upgrade accross versions is not
> supported.

I know, but that is not what I meant. I meant (and wrote), upgrade via
wheezy.

Paul
Re: Wiki update LTS/Using and EOL announcement
On 29-02-16 12:35, Markus Koschany wrote:
>> We recommend that you upgrade your systems to Debian 7 "Wheezy".

On 29.02.16 19:59, Paul Gevers wrote:
> /me wonders, do we really recommend that? I would say we recommend our
> users to upgrade to the current stable (via Wheezy), no? And wheezy-lts is
> there for those that can't or won't upgrade now from wheezy to jessie
> (maybe coming from squeeze, true). But if you are upgrading, why not do it
> "right" if you can?

you only can upgrade to wheezy directly. upgrade across versions is not
supported.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...
Accepted squid3 3.1.6-1.2+squeeze6 (source all amd64) into squeeze-lts
Format: 1.8
Date: Mon, 29 Feb 2016 20:02:20 +0100
Source: squid3
Binary: squid3 squid3-dbg squid3-common squidclient squid-cgi
Architecture: source all amd64
Version: 3.1.6-1.2+squeeze6
Distribution: squeeze-lts
Urgency: medium
Maintainer: Luigi Gangitano
Changed-By: Santiago Ruano Rincón
Description:
 squid-cgi  - A full featured Web Proxy cache (HTTP proxy) - control CGI
 squid3     - A full featured Web Proxy cache (HTTP proxy)
 squid3-common - A full featured Web Proxy cache (HTTP proxy) - common files
 squid3-dbg - A full featured Web Proxy cache (HTTP proxy) - Debug symbols
 squidclient - A full featured Web Proxy cache (HTTP proxy) - control utility
Changes:
 squid3 (3.1.6-1.2+squeeze6) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS Team.
   * Fix CVE-2016-2569: Denial-of-Service by wrong handling of String data.
   * Fix CVE-2016-2571: DoS caused by storing a certain kind of data after
     failing to parse a response.
Re: Wiki update LTS/Using and EOL announcement
Hi Markus,

On 29-02-16 12:35, Markus Koschany wrote:
> We recommend that you upgrade your systems to Debian 7 "Wheezy".

/me wonders, do we really recommend that? I would say we recommend our
users to upgrade to the current stable (via Wheezy), no? And wheezy-lts is
there for those that can't or won't upgrade now from wheezy to jessie
(maybe coming from squeeze, true). But if you are upgrading, why not do it
"right" if you can?

Paul
[SECURITY] [DLA 444-1] php5 security update
Package: php5
Version: 5.3.3.1-7+squeeze29
CVE ID : CVE-2015-2305 CVE-2015-2348

CVE-2015-2305

    Integer overflow in the regcomp implementation in the Henry Spencer BSD
    regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used
    in NetBSD through 6.1.5 and other products, might allow
    context-dependent attackers to execute arbitrary code via a large
    regular expression that leads to a heap-based buffer overflow.

CVE-2015-2348

    The move_uploaded_file implementation in ext/standard/basic_functions.c
    in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7
    truncates a pathname upon encountering a \x00 character, which allows
    remote attackers to bypass intended extension restrictions and create
    files with unexpected names via a crafted second argument. NOTE: this
    vulnerability exists because of an incomplete fix for CVE-2006-7243.

CVE-2016-tmp, Bug #71039

    exec functions ignore length but look for NULL termination

CVE-2016-tmp, Bug #71089

    No check to duplicate zend_extension

CVE-2016-tmp, Bug #71201

    round() segfault on 64-bit builds

CVE-2016-tmp, Bug #71459

    Integer overflow in iptcembed()

CVE-2016-tmp, Bug #71354

    Heap corruption in tar/zip/phar parser

CVE-2016-tmp, Bug #71391

    NULL Pointer Dereference in phar_tar_setupmetadata()

CVE-2016-tmp, Bug #70979

    Crash on bad SOAP request
working for wheezy-security until wheezy-lts starts
Hi all,

as of today, the Debian squeeze LTS support will cease and squeeze will
finally enter the archived archives of Debian.

.oO( /me gets out his handkerchief ...)

As (paid) LTS contributor you may wonder what to do next, esp. until the
official Debian wheezy LTS support period starts on 26th April 2016. At
least I did wonder about that, today...

One thing we can do, I guess, is helping out the Debian Security Team
with package updates in Debian wheezy.

For this, we can run bin/lts-needs-forward-port.py from the secure-testing
repo and see what issues we fixed in squeeze and port those fixes to the
package version in wheezy-security. Package updates must be coordinated with
the Debian Security Team, not within the LTS team, though:

* prepare a fixed package
* test the package
* send a .debdiff to t...@security.debian.org
* wait for feedback and ideally permission to upload to wheezy-security

(Is the above correct? Please elaborate, if not.)

Currently, we have these candidates of potentially easy-to-fix-in-wheezy
packages:

"""
Issues that are unfixed in wheezy but fixed in squeeze:
* aptdaemon -> CVE-2015-1323
* cakephp -> TEMP-000-698CF7
* dhcpcd -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700
* eglibc -> CVE-2014-9761
* extplorer -> CVE-2015-0896
* fuseiso -> TEMP-0779047-8CABD5 TEMP-0779047-E29D8E
* gosa -> CVE-2014-9760 CVE-2015-8771
* gtk+2.0 -> CVE-2013-7447
* icu -> CVE-2015-2632
* imagemagick -> TEMP-0773834-5EB6CF
* imlib2 -> CVE-2014-9762 CVE-2014-9763 CVE-2014-9764
* inspircd -> CVE-2015-8702
* libebml -> CVE-2015-8790 CVE-2015-8791
* libidn -> CVE-2015-2059 TEMP-000-54045E
* libmatroska -> CVE-2015-8792
* libsndfile -> CVE-2014-9756 CVE-2015-7805
* libstruts1.2-java -> CVE-2015-0899
* libtorrent-rasterbar -> CVE-2015-5685
* mono -> CVE-2009-0689
* nss -> CVE-2015-7181 CVE-2015-7182 CVE-2016-1938
* optipng -> CVE-2015-7801
* phpmyadmin -> CVE-2016-2039 CVE-2016-2041
* pixman -> CVE-2014-9766
* python-tornado -> CVE-2014-9720
* roundcube -> CVE-2015-8770
* srtp -> CVE-2015-6360
* tomcat6 -> CVE-2013-4286 CVE-2013-4322 CVE-2014-0033
  CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 CVE-2014-0227
  CVE-2014-0230 CVE-2014-7810 CVE-2015-5174 CVE-2015-5345 CVE-2015-5351
  CVE-2016-0706 CVE-2016-0714 CVE-2016-0763

Issues that are no-dsa in wheezy but fixed in squeeze:
* augeas -> CVE-2012-0786 CVE-2012-0787
* binutils -> TEMP-000-A2945B
* busybox -> TEMP-0803097-A74121
* chrony -> CVE-2016-1567
* dbconfig-common -> TEMP-0805638-5AC56F
* dwarfutils -> CVE-2015-8750
* foomatic-filters -> TEMP-000-ACBC4C
* imagemagick -> CVE-2014-8354 CVE-2014-8355 CVE-2014-8562
  CVE-2014-8716 TEMP-0806441-76CD60 TEMP-0806441-CB092C
* libemail-address-perl -> TEMP-000-F41FA7
* libfcgi-perl -> CVE-2012-6687
* librsvg -> CVE-2015-7557
* libsndfile -> CVE-2014-9496
* libunwind -> CVE-2015-3239
* openslp-dfsg -> CVE-2012-4428
* openssh -> CVE-2015-5352 CVE-2015-5600
* php5 -> CVE-2011-0420 CVE-2011-1657
* postgresql-8.4 -> CVE-2015-3165 CVE-2015-3166 CVE-2015-3167
  CVE-2015-5288
* python-scipy -> CVE-2013-4251
* python2.6 -> CVE-2011-4940 CVE-2013-4238 CVE-2014-1912
* qt4-x11 -> CVE-2015-0295 CVE-2015-1858 CVE-2015-1859
  CVE-2015-1860
* remind -> CVE-2015-5957
* ruby1.8 -> CVE-2009-5147
* ruby1.9.1 -> CVE-2009-5147
* t1utils -> CVE-2015-3905
* texlive-extra -> CVE-2012-2120
* tomcat6 -> CVE-2013-4590
* vorbis-tools -> CVE-2014-9638 CVE-2014-9639 CVE-2014-9640
  CVE-2015-6749
"""

I am posting this CVE/package list here on purpose, because the said script
may not be working anymore once the squeeze Debian package repo section has
been moved to archive.debian.org.

Furthermore, as it seems, we need to modify some bits and pieces in the
secure-testing repo to get our workflow up-and-running for Debian wheezy
LTS. Is anyone already working on that? What is the current status? Has
there already been a discussion that I am not aware of about how the LTS
team can work on wheezy-security updates in a coordinated fashion until
the 26th of April?

If there has not been a discussion yet, we should sort this out during this
week. My proposal would be to prepare the Debian wheezy LTS workflow in the
secure-testing SVN repo, so that our upcoming workflow can be very similar
to what we are used to. For the interim phase until the 26th
[SECURITY] [DLA 443-1] bsh security update
Package: bsh
Version: 2.0b4-12+deb6u1
CVE ID : CVE-2016-2510

A remote code execution vulnerability was found in BeanShell, an
embeddable Java source interpreter with object scripting language
features.

CVE-2016-2510:

    An application that includes BeanShell on the classpath may be
    vulnerable if another part of the application uses Java serialization
    or XStream to deserialize data from an untrusted source. A vulnerable
    application could be exploited for remote code execution, including
    executing arbitrary shell commands.

For Debian 6 "Squeeze", these problems have been fixed in version
2.0b4-12+deb6u1.

We recommend that you upgrade your bsh packages.
Re: Unsupported packages for Wheezy LTS
On 29.02.2016 at 15:17, Raphael Hertzog wrote:
> On Thu, 19 Nov 2015, Moritz Mühlenhoff wrote:
>> Another package which needs to be sorted out is the support for
>> Java. wheezy has both openjdk-6 and openjdk-7 (jessie has only
>> -7 and stretch will also only have one version).
>
> I asked our current sponsors about OpenJDK 6 and none asked
> us to keep supporting it. They are satisfied with having only
> OpenJDK 7 supported in wheezy.
>
>> sense to only support openjdk-7 in Debian LTS. Some rdeps in
>> wheezy will not allow that, but I think most people use openjdk
>> to run external java apps and not the Java apps packaged in
>> Debian (with maybe Tomcat as the exception).
>
> Yes, we need to investigate that. I just stumbled on a few packages
> with "openjdk-6-jre | java6-runtime" in their dependencies (like
> "entagged" or "389-console").
>
> A complete list should be made to see the impact and decide what should
> happen to those packages...

Matthias Klose, the OpenJDK maintainer, stated that he intends to support
OpenJDK 6 until Ubuntu 12.04 reaches EOL in April 2017 [1] and I think it
should be feasible to mirror this approach for Wheezy LTS provided
everyone agrees to keep OpenJDK 6 supported until then.

We discussed the switch to OpenJDK 7 last month [2] and I think the
problematic packages are only those that strictly depend on openjdk-6-jre
like tunnelx and rcran-r-java. Everything else that declares an
alternative dependency on java6-runtime or default-jre should be fine
because OpenJDK 7 provides these dependencies.

In addition I would also suggest to add Tomcat 6 to the list of
unsupported packages when it is declared EOL on December 31, 2016 [3] and
recommend the switch to Tomcat 7.

Regards,

Markus

[1] https://lists.debian.org/debian-java/2016/01/msg00069.html
[2] https://lists.debian.org/debian-lts/2016/01/msg00112.html
[3] https://tomcat.apache.org/tomcat-60-eol.html
[SECURITY] [DLA 442-1] lxc security update
Package: lxc
Version: 0.7.2-1+deb6u1
CVE ID : CVE-2013-6441 CVE-2015-1335
Debian Bug : #800471

Brief introduction

CVE-2013-6441

    The template script lxc-sshd used to mount itself as /sbin/init in the
    container using a writable bind-mount. This update resolved the above
    issue by using a read-only bind-mount instead, preventing any form of
    potentially accidental damage.

CVE-2015-1335

    On container startup, lxc sets up the container's initial file system
    tree by doing a bunch of mounting, guided by the container's
    configuration file. The container config is owned by the admin or user
    on the host, so we do not try to guard against bad entries. However,
    since the mount target is in the container, it's possible that the
    container admin could divert the mount with symbolic links. This could
    bypass proper container startup (i.e. confinement of a root-owned
    container by the restrictive apparmor policy, by diverting the required
    write to /proc/self/attr/current), or bypass the (path-based) apparmor
    policy by diverting, say, /proc to /mnt in the container. This update
    implements a safe_mount() function that prevents lxc from doing mounts
    onto symbolic links.

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
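The mitigation the CVE-2015-1335 text describes, as an added example that is not lxc's own safe_mount() code: the mount target is resolved component by component under the container rootfs with symlinks refused, and the mount then goes through the verified descriptor so the path cannot be re-pointed in between. The function names, the /tmp demo layout (a rootfs whose /proc is a symlink to /mnt, as in the advisory) and the EXDEV treatment of ".." are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_PATH
#define O_PATH 010000000 /* Linux value, in case fcntl.h does not expose it */
#endif

/* Walk `target` below `rootfd` one component at a time. O_NOFOLLOW alone is
 * not enough: combined with O_PATH the open *succeeds* on a symlink and returns
 * a descriptor to the link itself, so every step is fstat()ed and rejected with
 * ELOOP if it is a symlink. ".." is refused (EXDEV) so the walk stays inside
 * the rootfs. Returns an O_PATH fd for the final component, or -1 with errno. */
static int open_nofollow_under(int rootfd, const char *target)
{
    char buf[PATH_MAX];
    if (strlen(target) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, target);
    int cur = dup(rootfd);
    if (cur < 0) return -1;
    char *save = NULL;
    for (char *comp = strtok_r(buf, "/", &save); comp != NULL;
         comp = strtok_r(NULL, "/", &save)) {
        if (strcmp(comp, ".") == 0) continue;
        if (strcmp(comp, "..") == 0) { close(cur); errno = EXDEV; return -1; }
        int next = openat(cur, comp, O_PATH | O_NOFOLLOW | O_CLOEXEC);
        close(cur);
        if (next < 0) return -1;
        struct stat st;
        int err = 0;
        if (fstat(next, &st) < 0) err = errno;
        else if (S_ISLNK(st.st_mode)) err = ELOOP; /* diverted component */
        if (err) { close(next); errno = err; return -1; }
        cur = next;
    }
    return cur;
}

/* Mount through the verified descriptor (/proc/self/fd/N) instead of
 * re-resolving the path, so a rename between check and mount cannot redirect
 * the target either. Needs CAP_SYS_ADMIN, so run_demo() does not call it. */
int safe_mount(const char *src, const char *rootfs, const char *target,
               const char *fstype, unsigned long flags, const void *data)
{
    int rootfd = open(rootfs, O_PATH | O_DIRECTORY | O_CLOEXEC);
    if (rootfd < 0) return -1;
    int tfd = open_nofollow_under(rootfd, target);
    close(rootfd);
    if (tfd < 0) return -1;
    char fdpath[64];
    snprintf(fdpath, sizeof fdpath, "/proc/self/fd/%d", tfd);
    int rc = mount(src, fdpath, fstype, flags, data);
    int saved = errno;
    close(tfd);
    errno = saved;
    return rc;
}

/* Constructed, unprivileged demo: a throw-away rootfs under /tmp whose "proc"
 * entry is a symlink to "mnt", the diversion the advisory describes. Returns 0
 * when "mnt" is accepted, "proc" is rejected with ELOOP and "../etc" with EXDEV. */
int run_demo(void)
{
    char root[] = "/tmp/safe_mount_demo.XXXXXX";
    if (mkdtemp(root) == NULL) return 1;
    char mnt[PATH_MAX], proc[PATH_MAX];
    snprintf(mnt, sizeof mnt, "%s/mnt", root);
    snprintf(proc, sizeof proc, "%s/proc", root);
    int result = 2;
    if (mkdir(mnt, 0755) == 0 && symlink("mnt", proc) == 0) {
        int rootfd = open(root, O_PATH | O_DIRECTORY | O_CLOEXEC);
        if (rootfd >= 0) {
            int ok = open_nofollow_under(rootfd, "mnt");
            int bad = open_nofollow_under(rootfd, "proc");
            int bad_errno = errno;
            int esc = open_nofollow_under(rootfd, "../etc");
            int esc_errno = errno;
            if (ok >= 0 && bad < 0 && bad_errno == ELOOP && esc < 0 && esc_errno == EXDEV)
                result = 0;
            if (ok >= 0) close(ok);
            close(rootfd);
        }
    }
    unlink(proc);
    rmdir(mnt);
    rmdir(root);
    return result;
}

int main(void)
{
    int rc = run_demo();
    puts(rc == 0 ? "symlinked mount target rejected as expected" : "check FAILED");
    return rc;
}
```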
Re: Unsupported packages for Wheezy LTS
On Thu, 19 Nov 2015, Moritz Mühlenhoff wrote:
> Another package which needs to be sorted out is the support for
> Java. wheezy has both openjdk-6 and openjdk-7 (jessie has only
> -7 and stretch will also only have one version).

I asked our current sponsors about OpenJDK 6 and none asked
us to keep supporting it. They are satisfied with having only
OpenJDK 7 supported in wheezy.

> sense to only support openjdk-7 in Debian LTS. Some rdeps in
> wheezy will not allow that, but I think most people use openjdk
> to run external java apps and not the Java apps packaged in
> Debian (with maybe Tomcat as the exception).

Yes, we need to investigate that. I just stumbled on a few packages
with "openjdk-6-jre | java6-runtime" in their dependencies (like
"entagged" or "389-console").

A complete list should be made to see the impact and decide what should
happen to those packages...

Cheers,
--
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
[SECURITY] [DLA 441-1] pcre3 security update
Package: pcre3
Version: 8.02-1.1+deb6u1
Debian Bug : 815921

HP's Zero Day Initiative has identified a vulnerability affecting the
pcre3 package. It was assigned ZDI id ZDI-CAN-3542. A CVE identifier has
not been assigned yet.

PCRE Regular Expression Compilation Stack Buffer Overflow Remote Code
Execution Vulnerability.

PCRE did not validate that handling the (*ACCEPT) verb will occur within
the bounds of the cworkspace stack buffer, leading to a stack buffer
overflow.

For Debian 6 "Squeeze", these problems have been fixed in version
8.02-1.1+deb6u1.

We recommend that you upgrade your pcre3 packages.
Accepted bsh 2.0b4-12+deb6u1 (source all i386) into squeeze-lts
Format: 1.8
Date: Mon, 29 Feb 2016 12:59:05 +0100
Source: bsh
Binary: bsh bsh-gcj bsh-doc bsh-src
Architecture: source all i386
Version: 2.0b4-12+deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: Debian Java Maintainers
Changed-By: Markus Koschany
Description:
 bsh        - Java scripting environment (BeanShell) Version 2
 bsh-doc    - Documentation for bsh
 bsh-gcj    - Java scripting environment (BeanShell) Version 2 (native code)
 bsh-src    - Java scripting environment (BeanShell) Version 2 (source code)
Changes:
 bsh (2.0b4-12+deb6u1) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the Debian LTS Team.
   * Fix CVE-2016-2510. An application that includes BeanShell on the
     classpath may be vulnerable if another part of the application uses
     Java serialization or XStream to deserialize data from an untrusted
     source. A vulnerable application could be exploited for remote code
     execution, including executing arbitrary shell commands.
Accepted lxc 0.7.2-1+deb6u1 (source amd64) into squeeze-lts
Format: 1.8
Date: Fri, 04 Dec 2015 16:17:06 +0100
Source: lxc
Binary: lxc
Architecture: source amd64
Version: 0.7.2-1+deb6u1
Distribution: squeeze-lts
Urgency: medium
Maintainer: Guido Trotter
Changed-By: Mike Gabriel
Description:
 lxc        - Linux containers userspace tools
Closes: 800471
Changes:
 lxc (0.7.2-1+deb6u1) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS team.
   * debian/patches:
     + Add CVE-2015-1335.patch. Backport safe_mount support. Protect
       container mounts against symlinks. Resolved CVE-2015-1335.
       (Closes: #800471).
     + Add CVE-2013-6441.patch. Use read-only permissions when mounting
       /sbin/init. Resolved CVE-2013-6441.
Re: Wiki update LTS/Using and EOL announcement
On 28.02.2016 at 18:12, Holger Levsen wrote:
> Hi Markus,
>
> On Sunday, 28 February 2016, Markus Koschany wrote:
>> I have updated https://wiki.debian.org/LTS/Using to prepare for the
>> switch to Wheezy LTS. What do you think about sending an EOL
>> announcement to debian-lts-announce on March 1st? We could simply reuse
>> the official NEWS post [1] and would probably reach those people who
>> normally don't read news on debian.org.
>
> seems like a great idea to me. Can you do it? ;-)

Yes, I can. :)

Here is my proposed draft.

Subject: [SECURITY] Debian 6 Squeeze has reached end-of-life

The Debian Long Term Support (LTS) Team hereby announces that Debian 6
("Squeeze") support has reached its end-of-life on February 29, 2016,
five years after its initial release on February 6, 2011. There will be
no further security support for Debian 6.0.

The LTS Team will prepare the transition to Debian 7 ("wheezy"), which
is the current oldstable release. The LTS team will take over support
from the Security Team on April 26, 2016. Debian 7 will also receive
Long Term Support for five years after its initial release with support
ending on May 31, 2018.

We recommend that you upgrade your systems to Debian 7 "Wheezy".
Instructions can be found at https://wiki.debian.org/LTS/Using

Debian and its LTS Team would like to thank all contributing users,
developers and sponsors who are making it possible to extend the life
of previous stable releases, and who have made this LTS a success.

If you rely on Debian LTS, please consider joining the team, providing
patches, testing or funding the efforts. More information can be found
at https://wiki.debian.org/LTS/